108e1b80aa88cd63ca2f6f43762e6b5bce09d8a9c676efff6f2bbb6abd309ca0

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_05315f482713e270bea2a267e5253203_cryptolocker.exe
Size

36KB
MD5

05315f482713e270bea2a267e5253203
SHA1

1a0642d5161860c38d7eb04f90883b7e1bb8663b
SHA256

108e1b80aa88cd63ca2f6f43762e6b5bce09d8a9c676efff6f2bbb6abd309ca0
SHA512

847dc7cf17b532b2ff0fa421ed6baa6030abb738b13490f7c8fc6858376a9f351f4c63b38677a6c7e70344c10390bf777eb536885921d6d2b59a4fb8394d4ac3
SSDEEP

384:btBYQg/WIEhUCSNyepEjYnDOAlzVol6U/zzo+tkq4l8tFFxE2B0q8bC:btB9g/WItCSsAGjX7r3BTAC

Score

9^/10

Malware Config

Signatures

Detection of CryptoLocker Variants 1 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224d-10.dat	CryptoLocker_rule2

Executes dropped EXE 1 IoCs

pid	Process
2704	gewos.exe

Loads dropped DLL 1 IoCs

pid	Process
1808	2024-04-10_05315f482713e270bea2a267e5253203_cryptolocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1808	2024-04-10_05315f482713e270bea2a267e5253203_cryptolocker.exe
2704	gewos.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2704	1808	2024-04-10_05315f482713e270bea2a267e5253203_cryptolocker.exe	28
PID 1808 wrote to memory of 2704	1808	2024-04-10_05315f482713e270bea2a267e5253203_cryptolocker.exe	28
PID 1808 wrote to memory of 2704	1808	2024-04-10_05315f482713e270bea2a267e5253203_cryptolocker.exe	28
PID 1808 wrote to memory of 2704	1808	2024-04-10_05315f482713e270bea2a267e5253203_cryptolocker.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-10_05315f482713e270bea2a267e5253203_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_05315f482713e270bea2a267e5253203_cryptolocker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\gewos.exe
  "C:\Users\Admin\AppData\Local\Temp\gewos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\gewos.exe

Filesize
36KB

MD5
b875cedd50e99fbee2ebc8c0d712d08a

SHA1
1f480e211f08352368a81d80e913e77dd436466c

SHA256
2289e6afe5077256281687b6215dd42fb552f17c70e14242fdf134860f74b651

SHA512
b842aa6e7749c2c92a0eeb7db596671dcaea95c35c54b59d0992d48c3ca7d2623a2cba7331249233ff34c37e6b58076d8d25cf0e757fa076e10547864f8e507f

Download Submit
memory/1808-0-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/1808-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1808-7-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download